US12095814B2ActiveUtilityA1

Phishing website detection by checking form differences followed by false credentials submission

Assignee: NuRD LLCPriority: Aug 22, 2018Filed: Feb 18, 2022Granted: Sep 17, 2024
Est. expiryAug 22, 2038(~12.1 yrs left)· nominal 20-yr term from priority
Inventors:Fatih Orhan
H04L 63/1416H04L 63/1483
56
PatentIndex Score
0
Cited by
46
References
4
Claims

Abstract

There is provided a method to detect phishing websites so as to protect users from sending their sensitive information to criminal servers. When browsing a web site having an input form asking sensitive information, the input fields are recorded (i.e. username field and password field). Then false credentials are generated and submitted in background. The new control layer then checks the response page content whether it includes an input form and if there is an input, it checks whether the form has the same fields as the first form. If the responded page does not have a form, or it has a form but includes different fields than the initial page's form, then the original site is identified as phishing.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system of detecting phishing websites by introducing a control layer between a user and a website to be visited, where the control layer checks whether the website, requiring sensitive information, is a phishing website by comparing input forms after false credential submission comprising:
 at least one endpoint device in use by said user and in communication with a network; 
 said control layer is implemented as a web browser extension usable in real time while said user is browsing any website; 
 said user browsing said website through a web browser and interacting with said website; said website having a first input form; 
 a website URL being visited by said user through said web browser having said web browser extension; 
 said control layer deployed on said at least one endpoint device or on said network and tracking said first input form of said website being visited by said user; 
 a whitelist and a blacklist checked by said control layer to find out if said browsed URL is in said whitelist or in said blacklist; 
 a verdict that said website is safe, if said website is found in said whitelist; 
 said verdict that said website is malicious, if said website is found in said blacklist; 
 said verdict that said website is unknown if said website is not found neither in said whitelist nor in said blacklist; 
 said control layer allowing interaction of said user with said website by enabling a permissive functionality; and 
 said control layer blocking access to said website and warn said user about malicious content 
 wherein said control layer detects whether said visited website is phishing or not in real-time, said detecting comprising: 
 visiting unknown website by said user; 
 checking by said control layer if said website has the first input form; 
 allowing by said control layer said user to interact with said website, if unknown website has no input form; marking said website as not phishing; 
 extracting a first and second fields (field1 and field2) from said first input form; 
 generating random credentials for the first field (field 1) and the second field (field 2) and submitting said first input form in background using the random credentials if unknown website has said first input form; 
 analyzing in background the content of said response page retrieved after form submission; 
 checking whether said response page of random credentials submitted form includes any input form or not; 
 marking unknown page as phishing and blocking if said response page has no input form; 
 warning said user about phishing content detection and allowing said user to continue using said website or stop interaction with said website; 
 extracting by said control layer a third and fourth fields (field3, field4) from said second input form presented in said response page; 
 checking whether extracted from said second input from said third and said fourth fields (field3, field4) are the same with the first input form first and second fields (field1 and field2); 
 marking the unknown website as phishing and blocking said unknown website if the third field (field3) and the fourth field (field4) are different from the first field (field1) and the second field (field2); 
 warning said user about phishing content detection and allowing said user to continue using said website or stop interaction with said website; and 
 allowing said user the interaction with said website if the third field (field3) and the fourth field (field4) are the same as the first field (field1) and the second field (field2). 
 
     
     
       2. The system according to  claim 1  further comprising:
 browsing said website where said website has said first input form with username and password input fields asking sensitive information; 
 recording said input fields; 
 generating and submitting false credentials for said input fields in background; 
 checking by said control layer whether content of a response page includes said first input form; said response page having a second input form; 
 checking by said control layer whether said second input form of said response page has input fields which are same as the first input form of said website, if said first input form of said website is included; and 
 identifying said website as a phishing site, if said response page does not have said first input form of said website, or if said response page has said first input form of said website with different fields than the input form of the website. 
 
     
     
       3. The system according to  claim 1  wherein said control layer triggers interaction with said website and analyzes behavior of said website before actual interaction with said user. 
     
     
       4. The system according to  claim 1  wherein said enabling a permissive functionality includes having “Allow this website” button after the false credentials have been submitted once.

Join the waitlist — get patent alerts

Track US12095814B2 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.